"... an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
- from Patrick Seybold, Sr. Director, Corporate Communications & Social Media
Newer reports from the forensic team indicate all personal data stored with your PSN account has been compromised: everything, including name, address, birth date, the answers to your account reset questions, email address, and passwords.
Coming on the heels of this great post from the Guardian, it simply reinforces the reasons we all originally wanted to get away from the monolithic IBM corp and their "dumb terminal" model of client-server processing. Companies ask me to "trust them" with all kinds of information that is a terrible security risk. It has been demonstrated many times now that most of these companies will either neglect to properly secure their network, fail to use even the simplest security procedures (storing passwords in plaintext, no encryption) or will even sell your data to the highest bidder.
And they want me to trust them with my data? Because it makes their targeted marketing easier and more profitable? And for that I get to pay them money?
At this point in time, no one really trusts Sony anymore to give them the whole truth, especially coming on the heels of their settlement with GeoHot for hacking the "other OS" functionality which was originally a major selling point for the PS3 and which Sony subsequently disabled in several "updates" to the console. Rumors abound of Sony rebuilding their network to destroy the regained functionality of the firmware-modded PS3.
I personally am wary of the rush to distributed computing which goes by the trendy and amazin' *insert sparklies here* name of "cloud computing." The infrastructure is being pushed together hastily; security auditing is often minimal in the "rush to market" and the time-honored wisdom of 'not putting all your eggs in one basket' seems to have gone the way of most sensible and tested business advice and ideas in this modern rush for "newersexierbetterMOAR! because... it's the internet!"
That, on top of the hundreds of stories of company malfeasance, collusion with marketeers and underhanded dealings with consumers (Sony rootkit, anyone?) makes me wary of trusting companies who want my trust and yet have not demonstrated a reason for me to believe their interests coincide with mine as a consumer. And it makes me wary of putting all my data "out there in the cloud" instead of on my desktop where I can control access.
And oh yeah... there's that little Apple iPhone tracking problem too...